There has been an international shift towards stronger privacy and data protection laws, something the UK Information Commissioner, Elizabeth Denham, described as a “race to the top” when she spoke at the International Privacy Forum in Wellington this month.

She said the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018 was the new benchmark in data protection. It is the product of a convergence of the best available in privacy and data protection regulation found around the world.

In her keynote speech Ms Denham told the over 200-strong audience that this was the GDPR’s global pedigree. Regulatory instruments and practices developed elsewhere were embedded in its DNA during its drafting. “The Europeans took the Best in Breed to create a Best in Show.”

“The movement towards global convergence is nothing new. If you look at the broad history of privacy and data protection over the last 40 years, there has been a convergence of understanding about what it means for an organisation to process personal data responsibly. And there’s a general agreement about the rights that individuals should have over that data.”

She said it appeared to be a race to the top when it came to data protection standards globally and some aspects of the GDPR appeared to be leading the race.

Outside the EU

Ms Denham warned against a cut and paste of the GDPR as a solution for jurisdictions outside the EU. It was fit for purpose in Europe and not necessarily elsewhere. But the GDPR was an important catalyst for law reform outside Europe.

She referred to New Zealand’s privacy law reform. “Yours is a 25-year-old law. When it was drafted in the 1990s, who could have envisioned the social media ecosystem, AI and machine learning, and individuals’ desire for data portability?”

“Lawmakers will be influenced by other jurisdictions when their citizens come to them wondering why they don’t enjoy the same privacy rights as people across a border, across an ocean. People can be persuasive when it comes to politics. I also think there will be a continuing trend towards convergence of our laws and practices – and this convergence is speeding up.”

You can read the text of Elizabeth Denham’s speech here. You can also watch it here.

More on GDPR

The Forum was designed to benefit from the international talent which had travelled to New Zealand to participate in both the International Working Group on Data Protection in Telecommunications meeting in Queenstown the week before, and the Asia Pacific Privacy Authorities forum in Wellington that week.

Ms Denham’s speech was followed by a panel session on the GDPR with the UK’s Deputy Commissioner, James Dipple-Johnstone, the US Federal Trade Commission’s Assistant Director, Mark Eichorn, and the Berlin Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk. The discussion was chaired by Anna Johnston of Salinger Privacy, Australia.

The discussion canvassed views on how the GDPR would be enforced and the types of breaches and size of businesses that were likely to be pursued by EU regulators. Many attendees were curious about how likely it might be that an agency would face penalties of up to 4 percent of global turnover or 20 million Euros. They were no doubt reassured to hear there was only a remote probability that EU regulators would pursue small to medium businesses in New Zealand for minor inadvertent breaches. The focus of EU regulators would initially be within Europe and not to the maximum penalty, like this early German example and this case from Austria. It was a matter of watching how GDPR enforcement would evolve over time.

Other emerging issues

The second session introduced three speakers with international topics. Google’s Global Privacy Counsel, Peter Fleischer, gave a presentation on Google’s use of artificial intelligence (AI) in its products and product development. There were obvious benefits such as making better clinical predictions of a patient’s needs, identifying the likelihood and impact of serious weather events, and the finding and removal of illegal and extremist online content. But he added AI was not perfect, ethics was a key consideration, and research and development was ongoing.  

Privacy researcher and University of Auckland Associate Professor Gehan Gunasekera gave us a summary of the Chinese government’s social credit scoring system, including the social benefits such as more orderly queuing and people paying bills on time – both of which the government attributes to people wanting to avoid negative ratings on their individual score. Low scores lock people out of accessing certain privileges or consumer deals.

The panel’s last speaker was HeLEX Research Associate Andelka Phillips who summarised her research on DNA ancestry websites and services and the numerous red flags these raised for consumers. She said there was a significant risk posed by handing over a biometric as unique as a person’s DNA to a party that might not have adequate protections or policies in place to prevent loss or disclosure.

Asia Pacific snapshot

In the final session, we heard from data protection authorities in Australia, Philippines and Japan. Deputy Commissioner Rachel Dixon from the Office of the Victorian Information Commissioner described the controversy around Australia’s proposed backdoor encryption breaking legislation. She is critical of the Assistance and Access Bill and says passing it would introduce systemic vulnerabilities into communications technology which wrongdoers might be able to exploit, thus compromise the government’s intention of using it as a law enforcement tool.

The Philippines Privacy Commissioner Raymund Liboro explained how his country’s Data Privacy Act 2012 was relatively young as was the regulator, the National Privacy Commission. In 2016, the commission investigated the largest data breach in Philippines history when the Commission on Elections was hacked and the personal information of 55 million Filipinos was stolen. Since that year, the commission was accepted as a member of the International Conference of Data Protection and Privacy Commissioners and the Asia Pacific Privacy Authorities.

Our final speaker was the Adviser to the Head of Office of International Affairs in Japan, Kosuke Kizawa, who talked about the process by which Japan achieved EU adequacy as a destination for data processing earlier this year. EU adequacy status is something which New Zealand achieved in late 2012. Mr Kizawa explained the importance of the EU decision and how it was an integral first step to achieving a significant free trade agreement between Japan and the EU.

Video recordings of each of the International Privacy Forum sessions is available on our website and our YouTube channel.

Image credit: Europe United flag via Pixabay (Creative Commons).